CVE-2026-34725
Stored XSS in DbGate Enables Remote and Local Code Execution
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dbgate | dbgate | From 7.0.0 (inc) to 7.1.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34725 is a stored Cross-Site Scripting (XSS) vulnerability in DbGate versions 7.0.0 up to, but not including, 7.1.5. The applicationIcon field of an app definition accepts an SVG icon string, and the UI renders that string as raw HTML without sanitization, so whoever can write an app definition controls markup that executes for every user who views it.
In the web UI, this lets an attacker run arbitrary script in another user's browser session. In the Electron desktop app the renderer is configured with nodeIntegration: true and contextIsolation: false, so the same script can reach Node.js APIs (for example child_process) directly from the page, which turns the XSS into local code execution on the victim's machine.
The unsafe rendering path is the one that takes icon strings beginning with <svg and injects them directly into the DOM; any script-capable content inside that SVG or HTML (a <script> element, an onload or onerror handler, a javascript: URI) executes.
How can this vulnerability impact me?
This vulnerability can have severe impacts depending on the usage context of DbGate.
- In the web application, it allows attackers to execute arbitrary JavaScript in the victim's browser, which can lead to token theft, session hijacking, and performing privileged actions on behalf of the user.
- In the Electron desktop app, the vulnerability can escalate to local code execution due to unsafe Electron settings, allowing attackers to execute arbitrary code on the victim's machine with access to Node.js and Electron APIs.
Overall, this can compromise confidentiality, integrity, and availability of data and systems accessed through DbGate.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means auditing the applicationIcon field of DbGate app definitions for inline SVG or HTML that carries a script execution payload. Because the unsafe path applies to icon strings beginning with <svg, look for such strings that also contain a <script> element, inline event handlers (onload, onerror and similar), or javascript: URIs.
In practice, search the app-definition JSON files on disk for applicationIcon values that embed SVG or HTML tags with JavaScript event handlers such as onerror. JSON string values cannot contain literal newlines, so the whole icon string sits on one line and a two-stage grep pipe over lines works.
Example commands (adjust /path/to/dbgate/apps to wherever your installation stores app definitions):
- Find SVG icon strings that carry an event handler, a javascript: URI or a script element: grep -r --include='*.json' '<svg' /path/to/dbgate/apps | grep -iE 'on[a-z]+=|javascript:|<script'
- Find applicationIcon values that contain markup at all: grep -r --include='*.json' 'applicationIcon' /path/to/dbgate/apps | grep -iE '<img|<svg|<script'
A clean grep is not proof of absence: a payload can be encoded or split across attributes, and anyone who can write app definitions can re-add one. Also watch for signs of exploitation rather than of a latent payload: unexpected outbound requests from the DbGate origin in web UI traffic, and child processes spawned by the DbGate desktop app on Electron hosts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade DbGate to version 7.1.5 or later, where the vulnerability has been patched by sanitizing SVG icon content using DOMPurify.
If upgrading immediately is not possible, consider the following temporary mitigations:
- Audit and remove any suspicious or untrusted applicationIcon entries in app definitions that contain raw SVG or HTML.
- Restrict permissions to modify or create app definitions to trusted users only.
- Until the patch is applied, prefer the web UI over the Electron desktop app, or restrict who may use the desktop app, since in the desktop app the XSS escalates to local code execution because of the insecure Electron configuration.
Applying these steps reduces the risk of exploitation until the official patch can be applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in DbGate allows arbitrary JavaScript execution in a victim's browser session and local code execution in the Electron desktop app. This can lead to token theft, session hijacking, and unauthorized privileged actions, which may result in unauthorized access to sensitive data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Therefore, if exploited, this vulnerability could lead to violations of data protection requirements mandated by these regulations.